The Human Challenges of Rolling Out Multi-Factor Authentication (MFA)

Written by Kate Lake on August 26, 2021


Updated on October 13, 2021

While multi-factor authentication (MFA) isn’t new to most users, user sentiment toward the tool varies widely. For those who have several personal accounts that require MFA, adding another for work is no big deal. These tend to be the early adopters of any new technology IT admins may deploy, and can often be counted on to pilot new systems or adapt to them with minimal issues. Others may be less familiar or willing to adopt the technology, and tend to lag or run into friction when it comes to incorporating it into their work process.

Because most organizations will likely have both MFA champions and hard resisters, sufficiently equipping users is critical to rollout success. In this article, we’ll outline the user-side challenges many employees face when adopting MFA, how IT admins can rectify them, and use JumpCloud Protect, a free MFA tool, as a case study for ensuring smooth rollout and adoption. 

MFA User Challenges and Barriers to Adoption

Understanding the common challenges surrounding MFA adoption is key to determining the right rollout strategies. Generally speaking, MFA may be difficult to deploy because of:

  • Device incompatibility — MFA often requires employees to use their personal devices. Clarify which OS and versions the MFA technology works on, and present alternatives for those on different systems.
  • Setup problems — People learn in different ways; account for this by presenting setup information in more than one way. For example, offer a guided simulation as well as written instructions. Additionally, because users will be setting up the tool on different platforms, they’ll need access to clear steps for their device type. Be sure to provide setup instructions that are unique to each OS. 
  • Lack of understanding of how to use the tool — Perhaps one of the most common MFA challenges is usability. Not many MFA providers include end-user training, so many users are left to learn how to use the technology on their own. Additionally, with many users now working remotely, there’s less of a peer support system and fewer opportunities for offering hands-on help during the adoption period. 

Because this is such a prevalent sticking point, whether an MFA vendor provides user training should be an important consideration factor when weighing different tool options. Having training available can significantly reduce adoption time, improve the user experience, and reduce the security vulnerabilities created by tool misuse or avoidance.

  • Lack of buy-in — If users don’t understand the goal of a tool and why they should use it, they’ll quickly find a way to avoid it or work around it, which creates significant vulnerabilities. Communicate your company’s reasoning for why it’s adopting the tool and how it secures both company data and employees’ personal information. 

Note: While the insecurity of the traditional password may be old news to IT admins, it may not be to the lay user. Most users (and IT admins) use passwords as their only method of security in their personal lives. Try conveying the security benefits of MFA by first explaining the problems with the traditional password.

  • Poor user experience — As MFA adoption is already a sticking point, an MFA tool that delivers a poor user experience is unlikely to take hold. 

Addressing These Challenges

To ensure smooth rollout and adequately support their users, IT admins should make sure they enable users in three different stages: 

  • Pre-rollout: Accounting for both early and late adopters, admins need to give users ample time to prepare for new technology adoption. Alert users more than once, and preferably through varied media, to make sure everyone sees the message. In this messaging, include:
    • What to expect. Let users know what’s going to change, where the change will occur, whether they’ll need to use a personal device, and what the UX will look like to avoid surprises.
    • Reasoning for the change. You’re more likely to facilitate buy-in if users understand why the new technology is important. 
    • Steps users need to take before rollout. If users need to download an application, register their device, or take other measures, let them know as early as possible with clear instructions. This will help speed up rollout.
    • Resources to help users prepare. This could include support documents, courses, simulations, demos, and more. Consider making these optional; some users may not need the extra help and some might greatly appreciate it. In the spirit of prioritizing the user experience, allow users to learn in the way that best suits them and avoid forcing them to consume more learning materials than they need to. 
  • Implementation: Implementation should start with training. If the MFA vendor offers training, demos, or other user enablement material, circulate it to employees to offer hands-off guidance. If the tool doesn’t come with user enablement, consider holding training sessions to make sure users adopt and configure the tools correctly.

Give users some time — at least a couple of weeks — to get onboarded and comfortable with the new tool. During this time, make sure they have access to training materials, and IT teams should prepare for an influx of questions and help desk tickets. Even tools with the best training materials will have outliers and employees who need extra help or troubleshooting assistance.

  • Ongoing use: After rollout is complete, IT admins still need to keep an eye on MFA, watching for lockouts, users or devices with disabled MFA, suspicious login attempts, and other issues. Ideally, IT admins should be able to monitor and control MFA through a central dashboard, like the JumpCloud Admin Portal. 
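
The ongoing-use checks described above can also be scripted against exported data. The following is an added example, not part of the original article and not JumpCloud's own code or API: the record fields, event names, the 14-day grace period (taken from the "couple of weeks" onboarding window), and the burst threshold are all assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

GRACE = timedelta(days=14)            # assumed onboarding window ("a couple of weeks")
BURST_WINDOW = timedelta(minutes=10)  # assumed window for grouping failed challenges
BURST_THRESHOLD = 3                   # assumed: 3+ failed MFA challenges in the window

# Constructed sample data; field and event names are hypothetical, not a vendor schema.
USERS = [
    {"user": "alice", "mfa_enabled": True,  "rollout": "2021-08-01"},
    {"user": "bob",   "mfa_enabled": False, "rollout": "2021-08-01"},
    {"user": "carol", "mfa_enabled": False, "rollout": "2021-08-25"},
]
EVENTS = [
    ("2021-08-30T09:00:00", "alice", "mfa_failed"),
    ("2021-08-30T09:02:00", "alice", "mfa_failed"),
    ("2021-08-30T09:05:00", "alice", "mfa_failed"),
    ("2021-08-30T09:06:00", "alice", "lockout"),
    ("2021-08-30T10:00:00", "bob", "mfa_failed"),
    ("2021-08-30T14:00:00", "bob", "mfa_failed"),
]

def mfa_findings(users, events, now):
    """Return (user, finding) pairs for the three conditions worth reviewing."""
    findings = []
    # 1. MFA still disabled after the onboarding grace period has ended.
    for u in users:
        overdue = now - datetime.fromisoformat(u["rollout"]) > GRACE
        if not u["mfa_enabled"] and overdue:
            findings.append((u["user"], "mfa_disabled_past_grace"))
    # 2. Lockouts are reported directly; failed challenges are collected per user.
    failures = defaultdict(list)
    for ts, user, kind in sorted(events):
        if kind == "lockout":
            findings.append((user, "lockout"))
        elif kind == "mfa_failed":
            failures[user].append(datetime.fromisoformat(ts))
    # 3. Suspicious attempts: BURST_THRESHOLD failures inside BURST_WINDOW.
    for user, times in failures.items():
        for i in range(len(times) - BURST_THRESHOLD + 1):
            if times[i + BURST_THRESHOLD - 1] - times[i] <= BURST_WINDOW:
                findings.append((user, "mfa_failure_burst"))
                break
    return findings

if __name__ == "__main__":
    for user, finding in mfa_findings(USERS, EVENTS, datetime(2021, 8, 31)):
        print(f"{user}: {finding}")
```

Users still inside the grace period (carol in the sample) are deliberately not flagged, so late adopters are not reported before the onboarding window closes.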

How JumpCloud Protect Combats These Challenges

JumpCloud Protect is a free MFA tool that offers both push notifications and time-based one-time passwords (TOTP) as secondary factors for login. It’s designed to provide a seamless MFA experience that doesn’t require you to manage multiple vendors, which can add friction, hike up costs, and jeopardize security. JumpCloud Protect is easy to implement and manage from the JumpCloud Admin Portal, facilitating smooth and secure rollouts. 

In addition, JumpCloud prioritized the end-user experience throughout the development of the tool to make sure it would be seamless and easy to adopt. The result is an MFA tool that delivers an excellent user experience in the following ways.

User-Friendliness

JumpCloud Protect is designed to be user-friendly from the get-go. It works on both iOS and Android platforms (available from the Apple App Store and Google Play Store), and it’s easy to set up — essentially, users just download the app and scan a QR code in their User Portal to start authenticating with the app (get the full step-by-step here). 

Further, push notifications are some of the easiest MFA factors to use — all it takes is the tap of a button on a push notification that appears on the user’s personal phone or device. Push notifications are available for the JumpCloud User Portal and JumpCloud Single Sign-On (SSO), which includes the majority of what many users will be working with day to day (and are likely most familiar with when it comes to MFA in their personal lives). In addition, it still includes TOTP MFA for authentication to other systems and resources, like their Windows, Mac, or Linux devices, RADIUS, and password change attempts. 

End-User Training

One of the main reasons MFA adoption among users is so difficult is that most providers don’t offer end-user training. They’ll usually offer instructions to the admins setting up the technology, but, often, the users are left to fend for themselves. 

JumpCloud developed training for both IT admins and end users. End-user training includes a course, guided simulations on user enrollment and user login, and support documentation to help users familiarize themselves with the tool, see it in action, and go back and reference support material when they get stuck. 

Easy Management and Troubleshooting

JumpCloud Protect integrates seamlessly with the User Portal and the Admin Portal, making issues easy to spot and troubleshoot. Admins maintain central control over MFA enablement from the Admin Portal, and they can drill down into MFA status by user or device. MFA requirements can be configured into smaller, more specific groups with conditional access policies (like only requiring remote workers to use MFA, for example). Turning MFA on or off for a user or device is as easy as toggling a switch.

Optimizing the MFA User Experience 

The above user experience initiatives help ensure faster adoption, better security, happier and more productive users, and fewer help desk tickets (which means a happier and more productive IT team). And when it’s combined with your directory service, it helps you consolidate vendors and cost.

Because we always keep our users in mind, JumpCloud Protect comes free with every JumpCloud package — including JumpCloud Free — so you can evaluate it in your own environment. That means you can try the JumpCloud Directory Platform and JumpCloud Protect with 10 users and 10 devices at no cost. We’ll even include premium 24×7 in-app live chat support for the first 10 days. Try JumpCloud Protect with JumpCloud Free. 

If you’re already using the JumpCloud directory platform, JumpCloud Protect is free for your organization to start using. Make sure you send users the following resources to get them ready and excited about adopting an easy, user-friendly tool.
